PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10570 idocoh CVE debrief

The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symp_arfe_replace_content() function, which uses str_replace() to substitute raw ACF field values (retrieved via get_field()) directly into Elementor-rendered HTML without any escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability has a CVSS score of 6.4 and is classified as Medium severity.

Vendor
idocoh
Product
Sympl Repeater for ACF and Elementor
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Authenticated attackers with Author-level access and above could inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This could lead to unauthorized modifications to the website, theft of sensitive information, or other malicious activities. Website administrators, security teams, and developers who use the Sympl Repeater for ACF and Elementor plugin for WordPress should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

The vulnerability exists in the symp_arfe_replace_content() function, which uses str_replace() to substitute raw ACF field values directly into Elementor-rendered HTML without any escaping. This allows authenticated attackers with Author-level access and above to inject arbitrary web scripts. The vulnerability affects all versions up to, and including, 2.3 of the Sympl Repeater for ACF and Elementor plugin for WordPress.

Defensive priority

Medium priority due to the CVSS score of 6.4 and the potential for authenticated attackers to inject arbitrary web scripts.

Recommended defensive actions

  • Apply the latest patch or update to version 2.4 or later
  • Restrict access to the plugin's settings and functionality to authorized personnel only
  • Implement additional security measures such as Web Application Firewall (WAF) rules to detect and prevent cross-site scripting attacks
  • Monitor for suspicious activity and implement incident response plans
  • Consider implementing compensating controls such as Content Security Policy (CSP) to mitigate the impact of a potential exploit
  • Review and update the plugin's configuration to ensure that it is properly secured
  • Perform regular security audits and vulnerability assessments to identify and address potential issues

Evidence notes

The CVE record was published on 2026-07-08T06:16:20.720Z and has not been modified since then. The NVD entry is currently Received. The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This vulnerability exists due to insufficient input sanitization and output escaping in the symp_arfe_replace_content() function. The function uses str_replace() to substitute raw ACF field values (retrieved via get_field()) directly into Elementor-rendered HTML without any escaping, allowing authenticated attackers with Author-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T06:16:20.720Z and has not been modified since then. The NVD entry is currently Received.